OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Special Report

Assessing EPA's Efforts to Protect Sensitive Information

Report No. 2006-S-00006

September 19, 2006


Report Contributors:
    Rudolph M. Brevard
    Charles Dade
    Cheryl Reid


Abbreviations

CIO     Chief Information Officer
DCI     Data Collection Instrument
ECIE    Executive Council on Integrity and Efficiency
EPA     U.S. Environmental Protection Agency
FAEC    Federal Audit Executive Council
IG      Inspector General
IT      Information Technology
NIST    National Institute of Standards and Technology
OMB     Office of Management and Budget
PAS     Privacy Act Statement
PCIE    President's Council on Integrity and Efficiency
PDA     Personal Digital Assistant
PII     Personally Identifiable Information
SP      Special Publication
VPN     Virtual Private Network


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

September 19, 2006

MEMORANDUM

SUBJECT:    Assessing EPA's Efforts to Protect Sensitive Information
            Report No. 2006-S-00006

TO:         Charles Coe
            President's Council on Integrity and Efficiency

Attached is the U.S. Environmental Protection Agency Office of Inspector General's completed Data Collection Instrument, as prescribed by the President's Council on Integrity and Efficiency (PCIE) to use in meeting its requirements under Office of Management and Budget (OMB) Memorandum M-06-16, Protection of Sensitive Agency Information.

In accordance with the PCIE Federal Audit Executive Council reporting instructions, I am forwarding this report to you for consolidation with other Federal Agency OIG reports, and subsequent submission to the Director, OMB. Should you have any questions regarding this report, please contact Rudolph Brevard at (202) 566-0893 or brevard.rudy@epa.gov, or Cheryl Reid at (919) 541-2256 or reid.cheryl@epa.gov.

                                Sincerely,

                                Bill A. Roderick
                                Acting Inspector General


APPENDIX I: IG DATA COLLECTION INSTRUMENT

This data collection instrument (DCI) was developed by the Federal Audit Executive Council (FAEC) Information Technology (IT) Committee of the President's Council on Integrity and Efficiency (PCIE)/Executive Council on Integrity and Efficiency (ECIE) to assist Inspectors General (IGs) in determining their Agency's compliance with Office of Management and Budget (OMB) Memorandum M-06-16. The data collection instrument contains three parts. The first part is based on a security checklist developed by the National Institute of Standards and Technology (NIST) (see Section 1 below). Questions in the DCI are designed to assess Agency requirements in the memorandum, which are linked to NIST Special Publication (SP) 800-53 and 800-53A. Each IG can use the associated checklist and the relevant validation techniques for their own unique operating environment. Section 2 covers the additional actions required by OMB M-06-16. Section 3 should document your overall conclusion as well as detailed information regarding the type of work completed and the scope of work performed.

For each overall Step and Action Item, please respond yes, no, partial, or not applicable. For no, partial, and not applicable responses, please provide additional information in the comments sections. After the yes, no, partial, or not applicable response, IGs have the option to provide an overall response using the six control levels as defined below for the overall Step. Each condition for the lower level must be met to achieve a higher level of compliance and effectiveness. For example, for the control level to be defined as "Implemented", the Agency must also have policies and procedures in place. The determination of the control level for each Step should be based on the responses provided to the Action Items included in that Step.

Controls Not Yet in Place - The answer would be "Controls Not Yet in Place" if the Agency does not yet have documented policy for protecting personally identifiable information (PII).
Policy - The answer would be "Policy" if controls have been documented in Agency policy.
Procedures - The answer would be "Procedures" if controls have been documented in Agency procedures.
Implemented - The answer would be "Implemented" if the implementation of controls has been verified by examining procedures and related documentation and interviewing personnel to determine that procedures are implemented.
Monitor & Tested - The answer would be "Monitor & Tested" if documents have been examined and interviews conducted to verify that policies and procedures for the question are implemented and operating as intended.
Integrated - The answer would be "Integrated" if policies, procedures, implementation, and testing are continually monitored and improvements are made as a normal part of Agency business processes.


Section One
Security Controls and Assessment Procedures

Security Checklist For Personally Identifiable Information That Is To Be Transported and/or Stored Offsite, Or That Is To Be Accessed Remotely

Required response for each Step and Action Item: Yes, No, Partial, or Not Applicable.
Optional response (control level) for each Step: Controls Not Yet in Place, Policy, Procedures, Implemented, Monitor & Tested, or Integrated.

STEP 1: Has the Agency confirmed identification of personally identifiable information protection needs? If so, to what level?
Response: Partial

Action Item 1.1: Has the Agency verified information categorization to ensure identification of personal identifiable information requiring protection when accessed remotely or physically removed?
Response: Partial
Comments: Agency representatives stated that during Phase I of the Personally Identifiable Information (PII) Workgroup's Action Plan they reviewed 43 existing Systems of Records Notices to determine: 1) if the collection is still necessary, 2) if all the PII elements are required, 3) if there are elements being collected unnecessarily that can be removed, and 4) if the routine uses are still relevant. The Agency has not yet identified all PII; this is listed as a planned task during Phase II in the Workgroup's Action Plan.

Action Item 1.2: Has the Agency verified existing risk assessments?
Response: No
Comments: The Agency has not yet established a baseline of all Agency systems that contain PII.

OVERALL STEP 1 COMMENTS: The Agency has not yet identified all PII.


STEP 2: Has the Agency verified the adequacy of organizational policy? If so, to what level?
Response: Partial

Action Item 2.1: Has the Agency identified existing organizational policy that addresses the information protection needs associated with personally identifiable information that is accessed remotely or physically removed?
Response: Yes
Comments: The Agency implemented an interim Policy for Protecting PII. The policy addresses implementing specific safeguards for protecting PII that is accessed remotely or physically removed.

Action Item 2.2: Does the existing Agency organizational policy address the information protection needs associated with personally identifiable information that is accessed remotely or physically removed?
Response: Partial

  1. For personally identifiable information physically removed:
     a. Does the policy explicitly identify the rules for determining whether physical removal is allowed?
        Response: Yes
     b. For personally identifiable information that can be removed, does the policy require that information be encrypted and that appropriate procedures, training and accountability measures are in place to ensure that remote use of this encrypted information does not result in bypassing the protection provided by the encryption?
        Response: Partial
  2. For personally identifiable information accessed remotely:
     a. Does the policy explicitly identify the rules for determining whether remote access is allowed?
        Response: Yes
     b. When remote access is allowed, does the policy require that this access be accomplished via a virtual private network (VPN) connection established using Agency-issued authentication certificate(s) or hardware tokens?
        Response: No
     c. When remote access is allowed, does the policy identify the rules for determining whether download and remote storage of the information is allowed? (For example, the policy could permit remote access to a database, but prohibit downloading and local storage of that database.)
        Response: Yes

Comments: The Agency implemented an interim Policy for PII. This policy addresses specific safeguards for protecting PII that is accessed remotely or physically removed by employees. However, this interim policy does not include requirements for ensuring that: 1) appropriate training and accountability measures are in place, and 2) a VPN connection established using Agency-issued authentication certificate(s) or hardware tokens is used for remote access of PII. In addition, the policy does not address encryption requirements for transporting and/or remotely storing backup media that contain PII.

Action Item 2.3: Has the organizational policy been revised or developed as needed, including steps 3 and 4?
Response: Partial
Comments: All PII data in electronic format taken offsite by an employee must be encrypted. The Agency has not yet identified all instances where PII is being transported to and stored at remote sites.

OVERALL STEP 2 COMMENTS: The Chief Information Officer's (CIO's) interim policy does not include specific requirements for: 1) training and accountability measures, 2) using a VPN connection established using Agency-issued authentication certificate(s) or hardware tokens for all remote access of PII, and 3) encrypting backup media containing PII that is transported and/or stored offsite.


STEP 3: Has the Agency implemented protections for personally identifiable information being transported and/or stored offsite? If so, to what level?
Response: Partial

Action Item 3.1: In the instance where personally identifiable information is transported to a remote site, have the NIST Special Publication 800-53 security controls ensuring that information is transported only in encrypted form been implemented?
(* Evaluation could include an assessment of tools used to transport PII for use of encryption.)
Response: Partial
Comments: The CIO's interim policy states that all PII data in electronic format taken offsite by an employee must be encrypted. All encryption technologies used to transport and work on PII offsite must be validated according to Federal Information Processing Standards 140-2. The Agency has not yet identified all instances when backup media that contain PII are being transported to remote sites and whether transportation methods use encryption.

Action Item 3.2: In the instance where PII is being stored at a remote site, have the NIST SP 800-53 security controls ensuring that information is stored only in encrypted form been implemented?
(* Evaluation could include a review of remote site facilities and operations.)
Response: No
Comments: The Agency has not yet identified all instances when backup media that contain PII are being stored at remote sites and whether storage methods use encryption.

OVERALL STEP 3 COMMENTS: The Agency has not yet identified all instances where PII is being transported and/or stored offsite.

If personally identifiable information is to be transported and/or stored offsite, follow Action Item 4.3; otherwise follow Action Item 4.4.


STEP 4: Has the Agency implemented protections for remote access to personally identifiable information? If so, to what level?
Response: No

Action Item 4.1: Have NIST Special Publication 800-53 security controls requiring authenticated, virtual private network (VPN) connection been implemented by the Agency?
(* Evaluation could include a review of the configuration of VPN application(s).)
Response: No
Comments: The Agency has several remote access methods. One method has a VPN and is used mainly by external business partners (nonemployees) to access EPA networks. However, the CIO's interim policy directs employees to use two specific remote access methods, neither of which includes the VPN remote access method.

Action Item 4.2: Have the NIST Special Publication 800-53 security controls enforcing allowed downloading of personally identifiable information been enforced by the Agency?
(* Evaluation could include a review of controls for downloading PII.)
Response: No
Comments: The Agency has not identified all PII. In addition, the interim Agency policy does not include all NIST SP 800-53 security controls. For example, the policy does not include NIST SP 800-53 AC-4 "Information Flow Enforcement" Control. This control requires that the information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

If remote storage of personally identifiable information is to be permitted, follow Action Item 4.3; otherwise follow Action Item 4.4.

Action Item 4.3: Have the NIST Special Publication 800-53 security controls enforcing encrypted remote storage of personally identifiable information been implemented by the Agency?
Response: No
Comments: The Agency has not yet identified all instances of remotely stored PII. The Agency has not enforced that all remotely stored PII be encrypted.

Action Item 4.4: Has the Agency enforced NIST Special Publication 800-53 security controls enforcing no remote storage of personally identifiable information?
Response: Not Applicable
Comments: (none)

OVERALL STEP 4 COMMENTS: The Agency has several remote access methods. One method has a VPN and is used mainly by external business partners (nonemployees) to access EPA networks. However, the policy does not require the use of a VPN to remotely access PII. In addition, Agency policy does not address all controls specified in NIST SP 800-53. Furthermore, the Agency has not yet identified all PII that is remotely transported and/or stored or enforced encryption of this PII.

(The source for all the control steps above is NIST SP 800-53 and SP 800-53A assessment procedures.)


Section Two
Additional Agency Actions Required by OMB M-06-16

Required response for each item: Yes, No, Partial, or Not Applicable.

1. Has the Agency encrypted all data on mobile computers/devices which carry Agency data unless the data is determined to be non-sensitive, in writing by Agency Deputy Secretary or an individual he/she may designate in writing?
Response: No
Comments: The Agency does not encrypt all data on mobile computers/devices unless the data is determined to be non-sensitive, in writing by the Deputy Administrator or designee. Instead, the CIO's interim policy requires Senior Information Officials (SIOs) to approve, in writing, employees who work on PII at offsite locations and that this PII must be encrypted. Employees are prohibited from downloading and/or locally storing PII unless specifically authorized in writing by the SIO. If authorized by the SIO to download and/or locally store PII, employees must save PII files in an encrypted form. SIOs must establish procedures to document all approved downloads and/or local storage of PII and document proper encryption.

2. Does the Agency use remote access with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access?
Response: Partial
Comments: EPA's Remote Access Website identifies several forms of remote access. Two of the methods are described on the website as (1) having two-factor authentication and (2) encrypting the entire remote access session.

3. Does the Agency use a "time-out" function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity?
Response: Partial
Comments: The Agency has several remote access methods. The Agency policy requires time-out settings of 30 minutes for two of the remote access methods. The Agency's Chief Technology Officer has issued a memorandum requiring Information Resource Management Branch Chiefs, Information Security Officers, and Information Management Officers to help employees implement setting of Blackberry devices to time-out at 30 minutes or less. If employees utilize a PDA other than a Blackberry, they must follow these same practices and enable their device's password protection capabilities.

4. Does the Agency log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days or its use is still required?
Response: [blank in source]
Comments: The CIO issued an interim policy on August 23, 2006. It requires all SIOs throughout the Agency to approve, in writing, employees who work on PII at offsite locations by using a mandatory approval form included in this policy. Each SIO must establish procedures to document all approved downloads and/or local storage of PII. Each SIO must also ensure that all such PII has been erased within 90 days using the tools and procedures appropriate to individual file deletion, according to the EPA Procedures for Disk Sanitization, or verify and authorize its continued use. Due to the short time interval between the date the policy was issued and our reporting deadline, we were unable to verify whether these procedures were established and implemented throughout the Agency. We plan to audit EPA's PII controls in FY 2007.


Section Three

To assist the PCIE/ECIE in evaluating the results provided by individual IGs and in creating the government-wide response, please provide the following information:

Type of work completed (i.e., assessment, evaluation, review, inspection, or audit).
OIG Response: Assessment - Due to the time constraints, the scope of our work involved focused interviews and examinations of documents. We plan to audit EPA's PII controls in FY 2007.

Scope and methodology of work completed based on the PCIE/ECIE review guide Step 2 page 4. (Please address the coverage of your assessment, and include any comments you deem pertinent to placing your results in the proper context.)
OIG Response: We conducted focused interviews with EPA's Security and Privacy Offices. We performed focused examinations of the 1) CIO's Interim Policy and Procedures for Protecting Personally Identifiable Information, 2) Office of Environmental Information Website describing remote access methods, 3) PII Workgroup Action Plan, 4) list of Systems of Records Notices, and 5) Agency memorandum on configuring Blackberry and PDA devices.

Assessment Methodologies Used to Complete the DCI Sections (mark all that apply)

                                          Section One                          Section Two
                                          Step 1   Step 2   Step 3   Step 4
Interviews (G/F/C)                        F        -        F        F         -
Examinations (G/F/C)                      F        F        F        F         F
Tests (independently verified - Y/N)      N        N        N        N         N

Assessment Method Descriptions consistent with NIST SP 800-53A - Appendix D pages 34 - 36.
G = Generalized. F = Focused. C = Comprehensive. Y = Yes. N = No.


Overall Summary Statement. (Please refer to page five of the review guide for sample language for summary statements.)

Based on our assessment, we found that the Agency has taken the following steps to protect its sensitive personal information:

• Created a PII Workgroup and three-phase Action Plan.
  − During Phase I the workgroup reviewed the Agency's existing Systems of Records Notices to determine: (1) if the collection is still necessary, (2) if all the PII elements are required, (3) if there are PII elements being collected unnecessarily that can be removed, and (4) if the routine uses (i.e., disclosures to other parties) are still relevant.
  − During Phase II the workgroup plans to: 1) establish an Agency baseline of systems that contain PII by identifying all Agency systems that require Privacy Impact Assessments and determining if additional Systems of Records Notices are needed, 2) review Agency forms to determine if PII is collected; if any/all PII elements on the form are needed; and ensure a Privacy Act Statement (PAS) is present on forms collecting PII and whether the PAS is adequate, 3) review the final draft Privacy Policy to ensure PII concerns are adequately addressed, and 4) determine the procedures required to fully implement the Privacy Policy.
  − During Phase III the workgroup plans to: 1) identify critical training needs, 2) coordinate Security and Privacy Oversight Responsibilities/Activities, 3) address privacy in Agency contracts, and 4) submit a report to the Administrator.
• Issued CIO Policy Transmittal 06-011: Interim Policy and Procedures for Protecting Personally Identifiable Information (PII).
• Updated the Standard Configuration Document for Blackberry Devices to Safeguard Information.

The Agency needs to improve in the following areas:

• Identify all PII information.
• Ensure the policy includes specific requirements for 1) training and accountability measures, 2) using a VPN connection established using Agency-issued authentication certificate(s) or hardware tokens for all remote access of PII, and 3) encrypting PII that is transported and/or stored offsite.


Distribution

Office of the Administrator
Agency Followup Official
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Acting Inspector General